Large-Scale Mamba Ransomware Attacks on the Rise Again

The notorious Mamba ransomware that paralyzed the San Francisco Municipal Transportation Agency back in 2016 has resurfaced. This time the criminals behind the large-scale attacks have refocused their attention on corporations around the world.

Mamba Ransomware Reactivated Once Again

One of the well-known malware families to resurface in a new large-scale attack campaign is the infamous Mamba ransomware. Security experts noticed the incoming wave in a series of intrusion attempts against corporations worldwide. The shift in targeting appears to be a new strategy by the criminals behind the campaign. It is not known whether the current attacks are run by the same group as before or whether a new collective has emerged. Mamba, also tracked as HDDCryptor after the full-disk encryption component it deploys, was responsible for the devastating attack on San Francisco's municipal transit system last year.

The first major attacks associated with the threat date to September 2016, when experts from Morphus Labs reported that samples had been discovered on systems owned by a major Brazilian energy company with branches in the United States and India.

Mamba Ransomware Attacks Corporations Worldwide

The security experts report that the main victims of the attacks so far are large corporations and company offices located in Brazil and Saudi Arabia. The list is expected to grow to other countries and regions as well.

Mamba ransomware follows the attack pattern of its earlier versions. It uses a two-stage infection: the attackers first gain a foothold inside the corporate network, then use the PsExec utility to execute the malware on the target hosts. The full analysis shows the Mamba samples preparing the environment on each system as follows:

The preparation stage creates a folder on the main system partition (C:) called "xampp" with a subdirectory called "http", giving the path C:\xampp\http. The name references the popular XAMPP web server package (Apache, MySQL, PHP) that system administrators frequently install, so a path like this can pass as a legitimate XAMPP installation with a web server. Since the target hosts are likely to be running server software anyway, this is unlikely to raise suspicion.

The DiskCryptor utility, a legitimate open-source full-disk encryption tool, is then copied into the new folder and its Windows kernel driver is installed on the victim computer. A system service named DefragmentService is registered to run it. Once this is done the machine is rebooted and the service starts the Mamba ransomware payload.

Next the encryption process is started. Because the DiskCryptor-based service runs at boot, it has the access it needs to encrypt all available disk partitions and to rewrite the bootloader.

During the infection phase the malware harvests detailed information about the host computer. Depending on the hardware and operating system configuration, the 32-bit or 64-bit build of the tool is chosen. The analysts found that the Mamba samples grant the DiskCryptor utility the privileges it needs to access all critical operating system components, including loading its driver.

Once all steps have completed, the original bootloader is overwritten and the operating system can no longer be booted. The Mamba ransom message is hardcoded into the replacement loader itself. One of the captured samples displays the following note:
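The deployment chain above (PsExec execution, staging under C:\xampp\http, a service named DefragmentService, a driver loaded from the staging folder) is easy to turn into a host-level correlation rule. The following is an added example, not code from the article or from the analysts it cites: it parses constructed, tab-separated endpoint events and flags hosts where the chain is visible, while leaving a genuine XAMPP web server alone. Assumptions beyond the article: PsExec installs a helper service binary named PSEXESVC on the remote host (standard PsExec behaviour), and the sample file names dccon.exe, dcrypt.exe and dcrypt.sys mirror the public DiskCryptor distribution rather than indicators the article itself lists.

```python
# Correlate Windows endpoint events for the Mamba/HDDCryptor deployment chain.
# Added example: the telemetry format and file names below are constructed.
from collections import defaultdict

# Indicators taken from the chain described in the article.
STAGING_DIR = r"c:\xampp\http"          # staging folder created on the system drive
SERVICE_NAME = "defragmentservice"      # service under which DiskCryptor is registered
# Assumption (standard PsExec behaviour, not stated in the article): PsExec
# drops and runs a helper service binary called PSEXESVC on the target.
PSEXEC_IMAGE = "psexesvc"

# Constructed sample telemetry, one tab-separated record per line:
# host, event type, then type-specific fields (path, or service name + image).
# WS01 shows the full chain, WEB02 is a legitimate XAMPP web server,
# WS03 is an intrusion caught after staging but before service install.
SAMPLE_EVENTS = """\
WS01\tprocess\tC:\\Windows\\PSEXESVC.exe
WS01\tfile\tC:\\xampp\\http\\dccon.exe
WS01\tservice\tDefragmentService\tC:\\xampp\\http\\dcrypt.exe
WS01\tdriver\tC:\\xampp\\http\\dcrypt.sys
WEB02\tfile\tC:\\xampp\\htdocs\\index.php
WEB02\tservice\tApache2.4\tC:\\xampp\\apache\\bin\\httpd.exe
WS03\tprocess\tC:\\Windows\\PSEXESVC.exe
WS03\tfile\tC:\\xampp\\http\\dccon.exe
"""


def parse_events(text):
    """Parse tab-separated records into (host, kind, lower-cased fields) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, kind, *fields = line.split("\t")
        events.append((host, kind, [f.lower() for f in fields]))
    return events


def _in_staging(path):
    """True when a path is the staging folder itself or anything beneath it."""
    return path == STAGING_DIR or path.startswith(STAGING_DIR + "\\")


def chain_stages(events):
    """Return the set of deployment-chain stages observed in one host's events."""
    stages = set()
    for _host, kind, fields in events:
        if kind == "process" and PSEXEC_IMAGE in fields[0]:
            stages.add("remote_exec")
        elif kind == "file" and _in_staging(fields[0]):
            stages.add("staging_dir")
        elif kind == "service":
            name = fields[0]
            image = fields[1] if len(fields) > 1 else ""
            # Match either the known service name or any service whose binary
            # lives in the staging folder, in case the name is changed.
            if name == SERVICE_NAME or _in_staging(image):
                stages.add("service_install")
        elif kind == "driver" and _in_staging(fields[0]):
            stages.add("driver_load")
    return stages


def find_suspect_hosts(events, min_stages=2):
    """Map each host to its sorted list of stages when the evidence crosses the bar.

    The service registration alone is decisive. Otherwise at least min_stages
    distinct stages are required, so a plain XAMPP install (files under the
    htdocs folder, an Apache service) is not reported.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[0]].append(ev)
    verdicts = {}
    for host, evs in sorted(by_host.items()):
        stages = chain_stages(evs)
        if "service_install" in stages or len(stages) >= min_stages:
            verdicts[host] = sorted(stages)
    return verdicts


if __name__ == "__main__":
    for host, stages in find_suspect_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(stages)}")
```

Run against the constructed sample, WS01 is reported with all four stages and WS03 with the two early ones, while WEB02 is left alone even though it has a C:\xampp folder. The threshold logic is the practical point: the folder name is deliberately chosen to look benign, so the rule keys on the service name and on binaries executed or loaded from the staging path rather than on the folder alone.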

The captured samples reveal that the attackers use two contact email addresses: one hosted on Yandex and the other on ProtonMail. The ransom note images show that some of the letters are from the Cyrillic alphabet; together with the use of a Yandex inbox, this suggests the criminals may be Russian-speaking.